WordPress recently released the 3.6.1 update, which fixes several security issues, some of them as critical as a remote code execution. Also, some security settings were modified to avoid execution of certain files.

Version 3.6.1 fixes three security issues:

* Remote Code Execution: Block unsafe PHP de-serialization that could occur in limited situations and setups, which can lead to remote code execution.
* Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website.
* Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post "written by" another user.

Additional security hardening:

* Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
Created WordPress tracking bugs for this issue:

Affects: fedora-all [bug 1007343]
Affects: epel-all [bug 1007344]
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4338 to the following vulnerability:

Name: CVE-2013-4338
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25325
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4339 to the following vulnerability:

Name: CVE-2013-4339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25323
Reference: http://core.trac.wordpress.org/changeset/25324
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4340 to the following vulnerability:

Name: CVE-2013-4340
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25321
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter.
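As an added illustration of the CVE-2013-4338 entry above (example code in Python, not WordPress's own is_serialized() or the changeset 25325 fix): a lenient gate that only inspects the type-tag prefix, beside a strict validator that parses the full PHP serialize() grammar and accepts a string only when it is consumed exactly, so that only well-formed values are ever handed to unserialize(). The sample inputs in the test are constructed.

```python
import re

# Constructed example. Lenient gate: only the type-tag prefix is checked, so
# malformed or trailing data still reaches unserialize() (the advisory's weakness class).
def looks_serialized_lenient(data: str) -> bool:
    return data == "N;" or re.match(r"^[bidsaO]:", data) is not None

_SCALAR = re.compile(r"(?:N|b:[01]|i:-?[0-9]+|d:-?[0-9]+(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?);")
_STRING, _OBJECT = re.compile(r's:([0-9]+):"'), re.compile(r'O:([0-9]+):"')
_ARRAY, _OBJ_BODY = re.compile(r"a:([0-9]+):\{"), re.compile(r'":([0-9]+):\{')

def _consume(data: str, pos: int) -> int:
    # Consume one serialized value starting at pos; return the index just past it.
    tag = data[pos:pos + 1]
    if tag in ("N", "b", "i", "d"):
        m = _SCALAR.match(data, pos)
        if not m:
            raise ValueError("bad scalar")
        return m.end()
    if tag == "s":
        m = _STRING.match(data, pos)
        if not m:
            raise ValueError("bad string header")
        end = m.end() + int(m.group(1))          # declared byte length
        if data[end:end + 2] != '";':            # must land exactly on the terminator
            raise ValueError("string length/terminator mismatch")
        return end + 2
    if tag in ("a", "O"):
        m = (_ARRAY if tag == "a" else _OBJECT).match(data, pos)
        if not m:
            raise ValueError("bad container header")
        pos, count = m.end(), int(m.group(1))
        if tag == "O":                           # skip the class name, then ":<n>:{"
            m = _OBJ_BODY.match(data, pos + count)
            if not m:
                raise ValueError("bad object header")
            pos, count = m.end(), int(m.group(1))
        for _ in range(count):                   # each entry is a key then a value
            pos = _consume(data, _consume(data, pos))
        if data[pos:pos + 1] != "}":
            raise ValueError("unterminated container")
        return pos + 1
    raise ValueError("unknown type tag")

def is_serialized_strict(data: str) -> bool:
    # True only if the entire string is one well-formed serialized value.
    data = data.encode("utf-8").decode("latin-1")  # one char per byte, as PHP counts
    try:
        return _consume(data, 0) == len(data)
    except ValueError:
        return False
```

Anything failing the strict check should be returned unchanged as a plain string rather than passed to unserialize().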
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5738 to the following vulnerability:

Name: CVE-2013-5738
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
Assigned: 20130911
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25322
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5739 to the following vulnerability:

Name: CVE-2013-5739
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
Assigned: 20130911
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25322
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
External References: http://wordpress.org/news/2013/09/wordpress-3-6-1/
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.